| Docker Cryptojacking | |
|---|---|
| Type of Malware | Trojan |
| Date of Initial Activity | 2024 |
| Motivation | Financial Gain |
| Attack Vectors | Cloud Services |
| Targeted Systems | Linux |
Overview
A recently uncovered cryptojacking campaign has raised alarm bells within the cybersecurity community, as it exploits vulnerabilities in Docker and Kubernetes environments to mine cryptocurrency at a massive scale. The campaign, discovered by Datadog Security Research, takes advantage of misconfigurations and exposed API endpoints within Docker and Kubernetes, leveraging these cloud-native technologies to spread malware and hijack computing resources across compromised networks. This attack targets both individual containers and larger cloud infrastructures, such as Docker Swarm clusters and Kubernetes nodes, utilizing sophisticated techniques to propagate, evade detection, and maximize its cryptocurrency mining operations.
At the heart of the attack is the exploitation of Docker Engine’s open API, which is often exposed to the internet without proper authentication. This allows attackers to deploy malicious containers on vulnerable systems, marking the first step in their strategy. The attackers then deploy the XMRig cryptocurrency miner onto the infected containers, which mines Monero (XMR), a privacy-focused cryptocurrency. The miners consume significant computational resources, slowing down system performance and causing operational disruptions. The threat actors also employ advanced persistence techniques to ensure the malware remains hidden and operates uninterrupted, including Dynamic Linker Hijacking, which allows the miner to avoid detection by system monitoring tools.
Targets
Information
How they operate
The campaign begins with the identification of vulnerable Docker API endpoints that are exposed to the internet without proper authentication. Attackers use internet scanning tools like Masscan and ZGrab to locate these endpoints on compromised nodes. Once a vulnerable Docker endpoint is located, the attackers issue commands through the API to spawn a malicious Alpine container. The container is configured to mount the host’s file system, allowing the malware to execute commands that retrieve an initialization script from an external server. This script, once executed, sets the stage for the broader infection and begins the process of installing the mining software. If the system is running with root privileges, the malware downloads the official XMRig setup script from GitHub and executes it on the infected container. If the system is non-root, the malware installs a custom version of XMRig as an alternative method of deploying the miner.
To ensure the mining process runs undetected, the malware takes several steps to hide its presence. A process hider, compiled as a Linux shared object, is downloaded from the attacker-controlled server and saved as “/etc/rig.so”. The shared object is then registered with the dynamic linker through a technique known as Dynamic Linker Hijacking. This ensures that any mining process, such as XMRig, remains invisible to system monitoring tools like top or ps, because the hider continuously filters the mining software out of the system’s process listings. Additionally, the malware executes several other payloads designed to persist on the compromised system and further its lateral movement across the network.
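As an added illustration of how a hider of this kind can be caught (this is not code from the original write-up or from Datadog): the shared object hooks libc's readdir(), which ps and top depend on, but the kernel still serves /proc to a raw getdents64 syscall, so any PID present in the kernel view and absent from the libc view is being hidden. It assumes Linux on x86_64 or aarch64 and that rig.so is registered through /etc/ld.so.preload, the usual mechanism for this technique.

```python
import ctypes
import os
import platform
import sys

_GETDENTS64 = {"x86_64": 217, "aarch64": 61}  # assumption: only these two architectures covered

def pids_via_libc():
    """What ps/top see: os.listdir walks /proc through libc readdir, the hooked path."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def pids_via_syscall():
    """Kernel view: raw getdents64 on /proc, which a preloaded readdir hook cannot filter."""
    if not sys.platform.startswith("linux"):
        raise OSError("getdents64 is Linux-only")
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    fd = os.open("/proc", os.O_RDONLY | os.O_DIRECTORY)
    buf = ctypes.create_string_buffer(64 * 1024)
    pids = set()
    try:
        while True:
            n = libc.syscall(ctypes.c_long(_GETDENTS64[platform.machine()]),
                             ctypes.c_int(fd), buf, ctypes.c_size_t(len(buf)))
            if n <= 0:
                break
            raw, off = buf.raw, 0
            while off < n:
                # struct linux_dirent64: d_ino(8) d_off(8) d_reclen(2) d_type(1) d_name[]
                reclen = int.from_bytes(raw[off + 16:off + 18], "little")
                name = raw[off + 19:off + reclen].split(b"\0", 1)[0]
                if name.isdigit():
                    pids.add(int(name))
                off += reclen
    finally:
        os.close(fd)
    return pids

def hidden_pids(kernel_view, libc_before, libc_after=()):
    """PIDs the kernel reports but libc never does; libc_after suppresses processes that merely started in between."""
    return sorted(set(kernel_view) - set(libc_before) - set(libc_after))

def preload_entries(text):
    """Non-comment entries of /etc/ld.so.preload; on a clean host this list is empty."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def self_check():
    """True when the kernel view contains this very process (skipped on unsupported platforms)."""
    if not sys.platform.startswith("linux") or platform.machine() not in _GETDENTS64:
        return True
    return os.getpid() in pids_via_syscall()
```

A hider that also wraps libc's syscall() entry point would defeat this script, which is why a statically linked checker run from a trusted path is the stronger form of the same comparison.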
Lateral movement is a key component of this cryptojacking campaign. Once the initial container is infected, the malware deploys additional scripts to spread the infection to other containers, Docker hosts, and Kubernetes clusters. The kube.lateral.sh script, for example, is specifically designed to target Kubernetes nodes. This script disables system firewalls, removes monitoring tools, and manipulates the system’s DNS configurations to ensure smooth operation of the malware. It also installs tools like Masscan and ZGrab, which the attackers use to scan for Kubernetes nodes with exposed Kubelet APIs. By exploiting the Kubelet API, attackers can deploy additional containers to further propagate the malware and maintain control over the network. The attackers also utilize other techniques to ensure persistence, such as modifying SSH configurations to enable remote access and execute additional malicious scripts across different cloud environments.
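Added example, not from the original report or from Datadog: a small audit of the three preconditions the campaign relies on (an unauthenticated Docker API listener, a container that can reach the host filesystem, and a kubelet reachable without authentication). The inputs are constructed stand-ins for a dockerd and kubelet command line and a `docker inspect` record; the port numbers are the conventional ones, not values from the report.

```python
import json
import shlex

def docker_api_findings(dockerd_cmdline):
    """tcp:// listeners without --tlsverify: the open API the malicious Alpine container arrives through."""
    args = shlex.split(dockerd_cmdline)
    hosts = [args[i + 1] for i, a in enumerate(args[:-1]) if a in ("-H", "--host")]
    hosts += [a.split("=", 1)[1] for a in args if a.startswith(("-H=", "--host="))]
    tls = any(a in ("--tlsverify", "--tlsverify=true") for a in args)
    return [f"dockerd listens on {h} without TLS client verification"
            for h in hosts if h.startswith("tcp://") and not tls]

def container_findings(inspect_output):
    """Containers able to reach the host: root-filesystem binds, privileged, host PID namespace."""
    out = []
    for c in json.loads(inspect_output):
        name, hc = c.get("Name", "?"), c.get("HostConfig", {})
        for bind in hc.get("Binds") or []:
            if bind.split(":", 1)[0] == "/":
                out.append(f"{name}: bind-mounts host / ({bind})")
        if hc.get("Privileged"):
            out.append(f"{name}: privileged")
        if hc.get("PidMode") == "host":
            out.append(f"{name}: shares host PID namespace")
    return out

def kubelet_findings(kubelet_cmdline):
    """Kubelet flags that leave its API open to the scanners kube.lateral.sh installs."""
    args = shlex.split(kubelet_cmdline)
    out = []
    if "--anonymous-auth=true" in args:
        out.append("kubelet accepts anonymous requests")
    if "--authorization-mode=AlwaysAllow" in args:
        out.append("kubelet authorizes every request")
    ro = [a for a in args if a.startswith("--read-only-port=")]
    if ro and ro[-1].split("=", 1)[1] != "0":
        out.append(f"kubelet read-only port enabled ({ro[-1]})")
    return out

# Constructed sample inputs (not from the campaign): dockerd on all interfaces over plain
# TCP, an Alpine container with the host root mounted, and a permissive kubelet.
SAMPLE_DOCKERD = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
SAMPLE_INSPECT = json.dumps([
    {"Name": "/eager_pike", "Config": {"Image": "alpine"},
     "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False, "PidMode": ""}},
    {"Name": "/web", "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
])
SAMPLE_KUBELET = "kubelet --anonymous-auth=true --authorization-mode=AlwaysAllow --read-only-port=10255"

def audit():
    """All findings across the three sources; an empty list means none of the preconditions hold."""
    return (docker_api_findings(SAMPLE_DOCKERD) + container_findings(SAMPLE_INSPECT)
            + kubelet_findings(SAMPLE_KUBELET))
```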
This multi-layered approach to cryptojacking demonstrates the growing sophistication of cybercriminals targeting cloud-native technologies, such as Docker and Kubernetes. The ability to exploit widely used orchestration platforms for mining cryptocurrency at scale is a reminder of the potential vulnerabilities present in these environments. It also highlights the importance of securing containerized infrastructures and ensuring that Docker and Kubernetes APIs are properly protected from unauthorized access. As cloud computing continues to grow, organizations must be vigilant in securing their systems against these evolving threats to prevent financial losses and operational disruptions.